PT-2026-24661 · Libcurl+3
Daniel Stenberg +1 · Published 2026-03-11 · Updated 2026-06-05
CVE-2026-1965
CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions
libcurl (affected versions not specified)
Description
libcurl may reuse an incorrect connection when handling Negotiate-authenticated HTTP or HTTPS requests. This occurs because libcurl maintains a pool of recent connections to avoid overhead. A logical error can cause a request to reuse a connection authenticated with different credentials than expected, as Negotiate sometimes authenticates connections rather than individual requests. Specifically, if an application authenticates with user1:password1 and then attempts another operation with user2:password2 while the first connection remains active, the second request might incorrectly reuse the connection associated with user1. The authentication methods are configured using the CURLOPT_HTTPAUTH option.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
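The reuse error from the description, reduced to a simplified connection-pool model. This is an added example, not libcurl's code: the struct, the function names and the host srv.example are hypothetical. It contrasts a lookup that ignores credentials with one that also compares them before reusing a connection.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified model of a connection pool (not libcurl's data structures). */
struct conn {
    const char *host;     /* server the connection is open to */
    const char *userpwd;  /* credentials the connection authenticated with */
    bool used;            /* slot holds a live connection */
};
static struct conn pool[4];

/* Flawed lookup: any live connection to the host is reused, although
 * Negotiate has bound it to the credentials that opened it. */
static struct conn *find_flawed(const char *host, const char *userpwd)
{
    (void)userpwd;
    for (size_t i = 0; i < 4; i++)
        if (pool[i].used && strcmp(pool[i].host, host) == 0)
            return &pool[i];
    return NULL;
}

/* Checked lookup: reuse only when the credentials also match. */
static struct conn *find_checked(const char *host, const char *userpwd)
{
    for (size_t i = 0; i < 4; i++)
        if (pool[i].used && strcmp(pool[i].host, host) == 0 &&
            strcmp(pool[i].userpwd, userpwd) == 0)
            return &pool[i];
    return NULL;
}

/* Sends a Negotiate request and returns the identity the server sees:
 * the credentials bound to whichever connection carried the request. */
static const char *request_identity(bool checked, const char *host,
                                    const char *userpwd)
{
    struct conn *c = checked ? find_checked(host, userpwd)
                             : find_flawed(host, userpwd);
    for (size_t i = 0; !c && i < 4; i++)   /* no match: open a new one */
        if (!pool[i].used) {
            pool[i] = (struct conn){ host, userpwd, true };
            c = &pool[i];
        }
    return c ? c->userpwd : NULL;          /* NULL: pool exhausted */
}

static void pool_reset(void) { memset(pool, 0, sizeof pool); }
```

With the flawed lookup, the second request is carried out as user1:password1; with the checked lookup, each set of credentials gets its own connection.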
Affected Products
Linuxmint
Red Os
Ubuntu
Libcurl